The point is: you open a new SPWeb object (i.e. you don't use the contextual SPContext.Current.Web managed automatically by SharePoint on each request).
Therefore, no FormDigest can help here: FormDigest ensures security on POST request for the contextual SPWeb only.
AllowUnsafeUpdates helps here because it deactivates the security checks (both for GET ...